Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 Aug 2012 16:11:18 -0800
From: Royce Williams <>
Subject: OS X keychain single empty/spaces result, but guessing continues?

I'm working on a Mac OS X keychain recovery.  The target file was
generated with keychain2john from an unaltered login.keychain.

$ john -i=all keychain.txt
Loaded 1 password hash (Mac OS X Keychain PBKDF2-HMAC-SHA-1 3DES [32/64])

If I hit return shortly after the run starts, I get the expected
no-results-yet output:

guesses: 0  time: 0:00:00:02 0.00%  c/s: 664  trying: 0100022 - spacy

... but shortly afterwards, the following appears (preceded by 17 spaces):


Such output seems similar to standard results output, but it is spaces
only (verified with cat -e and hexdump).

Once that appears, further status output indicate that one guess has succeeded:

guesses: 1  time: 0:00:00:13 0.07% (ETA: Sat Aug  4 19:49:55 2012)
c/s: 1197  trying: 151480a - 161994

The guessing continues as if more work remains -- but since there is
only one line in the file, this seems counter-intuitive.

$ wc -l keychain.txt
       1 keychain.txt

>From what I've read, a truly empty keychain is unlikely, and manual
attempts to use 1 to 16 spaces do not succeed, so I'm a bit stumped.

I get the same result on multiple users from the same system.  I also
get the same result on these platforms:

1.7.9-jumbo-6_omp [linux-x86-64-native]
1.7.9-jumbo-6_omp [freebsd-x86-64]

Please administer a clue-bat if I'm missing something obvious -- and
thanks for the recent keychain work.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.